Re: [Qemu-devel] [PATCH 0/3] vpc: support probing of fixed size images

[Jeff Cody <jcody@redhat.com>]

On Fri, Aug 15, 2014 at 07:13:07AM -0600, Eric Blake wrote:
> On 08/15/2014 06:28 AM, Jeff Cody wrote:
> 
> > I worry that will subtly alter current behavior in bad ways.  For
> > instance, take this image chain:
> > 
> >     qemu-img create -f qcow2 foo.img 1G
> >     qemu-img create -f qcow2 -b foo.img bar.img 1G
> > 
> >     qemu-kvm -drive file=bar.img,format=qcow2
> > 
> > 
> > If I understand correctly what you are proposing, that means that
> > qemu-kvm would detect 'foo.img' as raw, while current behavior is to
> > detect it as 'qcow2'.
> > 
> 
> Libvirt ALREADY defaults to detecting foo.img as raw, and refuses to
> grant SELinux permissions for qemu to read bar.img, which causes qemu to
> fail to start due to missing permissions.  All because probing is deemed
> too dangerous (a probe that results in an answer of "raw" is
> trustworthy, a probe that results in any other answer is suspect if the
> file has any remote chance of having once been raw).
> 
> > Although if we do that in conjunction with what Kevin proposed (forbid
> > probing on raw), it would behave 'properly', and bail out before doing
> > something bad.  That could be OK.
> 
> The problem is that you can't forbid probing on raw without forbidding
> probing almost everywhere.  Again, an answer of "raw" is trustworthy, it
> is ALL OTHER answers that are suspect.
> 
> 

I agree that raw is trustworthy (as in, the safest default).  My point
is that I think that silently changing behavior on existing chains
(not everyone uses libvirt and selinux rules) would be bad for
existing users.  I think it best to explicitly warn, and then
deprecate.